[Oisf-users] BPF filter for a mid/high traffic throughput

Peter Manev petermanev at gmail.com
Wed Dec 19 06:48:31 UTC 2018

On Wed, Dec 19, 2018 at 7:43 AM Carlos Lopez <clopmz at outlook.com> wrote:
> Hi all,
> I need to monitor a network with a 4-5GiB traffic throughout per media with one Suricata 4.1.0 (under CentOS 7.6) sensor installed in a host with 64GB RAM and 16 phys cores. To avoid losing packets and/or CPU power analyzing large packets, I am thinking to capture  all client traffic, SYN/FIN packets and the first packet of server responses (for all protocols). For example,

You should be able to handle 4-5Gbps traffic with that configuration i
think without packet  loss (or something relatively small like 0.x% or
Did you experience big packet loss?

> for http requests a BPF filter that seems to work is:
> (tcp dst port 80 or (tcp src port 80 and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450))))
> Is this approach correct? But If I would do the same for all tcp and udp ports, is this bpf filter ok:
> (tcp and (tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 or tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x48545450)) or udp) ?
> Regards,
> C. L. Martinez
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/

Peter Manev

More information about the Oisf-users mailing list